systematic-debugging

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external sources, creating a significant attack surface.
  • Ingestion points: Uses Read, Grep, and Glob for local files, and mcp__playwright__* (e.g., browser_navigate, browser_snapshot) for remote web content.
  • Boundary markers: No explicit delimiters or instructions are provided to help the agent distinguish between its debugging process and potentially malicious instructions embedded in the code or web pages it analyzes.
  • Capability inventory: The skill allows access to Bash, Edit, and full browser automation via Playwright.
  • Sanitization: There is no mention of sanitizing or validating the content retrieved from external sources before processing.
  • Risk: An attacker could embed instructions in a codebase or a website that, when read during a debugging session, trigger the agent to execute malicious commands via Bash or modify sensitive files via Edit.
  • Command Execution (MEDIUM): The skill explicitly allows the Bash tool. While necessary for many debugging tasks, the lack of constraints or sandboxing instructions, combined with the ingestion of untrusted content, elevates the risk of arbitrary code execution if the agent is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:03 AM